Slashdot Mirror


Lost Credit Data Improperly Kept, Company Admits

Zak3056 writes "Last week, Mastercard announced that up to 40,000,000 credit card numbers may have been compromised by one of their processing companies. Today, the New York Times (registration, along with firstborn child, required) is reporting that the company in question, CardSystems Solutions, should not have been retaining that data to begin with. John M. Perry, CEO of the processor in question, claims the data was merely being kept for 'research purposes.' The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."

23 of 272 comments

  1. Slight difference? by jez9999 · · Score: 4, Interesting

    Am I reading this correctly? 40 million down to just over 60 thousand? I mean, if the latter figure is correct, this is a MUCH different (less major) story.

    1. Re:Slight difference? by Tuxedo+Jack · · Score: 5, Insightful

      Even so, the issue is that it was still improperly retained - and that corporate America isn't giving a damn about security for the average joe's accounts and such.

      --

      Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
    2. Re:Slight difference? by alan_dershowitz · · Score: 4, Interesting
      Well, that's kind of true and kind of not. The credit card companies are a few days from requiring vendor compliance with a strict standard for credit card information processing and storage. Basically, if you are not implementing this security standard, you will not be able to use credit cards in your place of business. (This is for online businesses and Point of Sale service providers, not like restaurants and stuff.)

      CISP and PCI compliance

      If data in a vendor's system is compromised, Visa and Mastercard will charge fines upward of a hundred thousand dollars per violation, and by the time a third violation occurs, your place of business may be denied use of credit card services permanently.

      That's a good thing for everyone, but when crap like this happens it pisses me off. Credit card companies are (correctly) requiring the strictest standards for storing cardholder data by vendors, but at the same time they themselves are losing 40 million card numbers, losing unencrypted backup tapes in shipping, etc. What pisses me off is that if I screw up and lose a credit card number into the wild, I get fined 100K. If they lose 40 million cards, what are they gonna do, fine themselves?

  2. No Reg Link by OverlordQ · · Score: 4, Informative

    I'm sure it's been mentioned every time a NYT article is posted, but use the NYT Link Generator.

    Btw, NoReg for this article.

    --
    Your hair look like poop, Bob! - Wanker.
  3. Credit Card Doublespeak by Qzukk · · Score: 5, Informative
    "The number of compromised Master Card accounts has been revised downward to about 68,000, with another 132,000 possibly compromised accounts belonging to Visa, American Express, and other companies."
    Should be read as
    "The number of compromised Master Card accounts from accountholders in California where we actually have to report this is about 68,000. Another 132,000 people in California with Visa, American Express, and other credit card companies' cards also had their account information taken"
    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  4. this is not an error by nilbog · · Score: 5, Funny

    This isn't an error at all, it's actually a *feature* of your credit card agreement. Gets your card number out there so you don't have to bother giving it to retailers - they already have it!

    --
    or else!
  5. Re:Full text of the article by w98 · · Score: 5, Funny
    As for the sensitive data, he added, "We no longer store it on files."
    Now they store it on tape so UPS can lose it instead.


  6. Lawsuit by fdiskne1 · · Score: 4, Interesting

    Can you say "lawsuit"? This was a total lapse in judgement in keeping data they shouldn't have, compounded with the fact that they didn't secure their network. I'd place money on this company not surviving this error. Even if the loss of money in settlements doesn't break them, I'd bet they will lose most of their future business because of this (and rightly so).

    --
    But why is the rum gone?
    1. Re:Lawsuit by griffjon · · Score: 4, Funny

      I'd place money...

      Hey, for betting; do you take credit cards?

      --
      Returned Peace Corps IT Volunteer
  7. Ad Free Link by ravenspear · · Score: 4, Informative

    Here is the reg free and "fricken huge flash ad skip" link.

  8. This isn't working out.. by aero2600-5 · · Score: 4, Insightful

    Apparently, keeping credit card numbers secure isn't working out. Why? Because it's just a number. The major credit companies need to revise how the whole credit system works. If they assume that everyone knows everyone else's credit card number by default, they should be able to devise a system a hell of a lot more secure than some 16-digit number. Your credit card number has to be retained by anyone you do business with so that they know who you are. Credit card security needs some major improvements, like a passphrase, password, or even a PIN. A 4-digit PIN would make a world of difference, but if you're going to fix it, you should fix it right. A passphrase would be best. Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained. The fact that a system of this nature is not yet in place just shows that the major credit card companies just don't give a shit.
    /end rant

    Aero

    --
    Please stop hurting America -- Jon Stewart
    1. Re:This isn't working out.. by bracher · · Score: 4, Insightful

      I agree that something more secure than a 16-digit number is certainly feasible and needed. But it shouldn't be something that needs to be passed through a third party. The card should be a smart card capable of signing a transaction, and only the signature should be transmitted.

      Something that's communicated when the authorization is taking place, checked against a nice secure server, and then is forgotten and not retained.

      The essential point you're missing here is that, currently, your 16-digit card number _is_ this something. The core of the problem (this time at least) is that the processing company wasn't following those rules. What keeps them from holding on to your passphrase for 'analysis'?

    2. Re:This isn't working out.. by Stonehand · · Score: 4, Insightful

      Well, judging by the article, Mastercard specifically told the processor *not* to retain information -- and the latter did, anyway. The policy already existed.

      No, to block things you'd need to do more than tell them not to retain information. You'd need to make sure that even if they did, it was useless. This might point towards requiring people to generate one-time passwords, which would probably be fairly expensive.

      --
      Only the dead have seen the end of war.
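Added example, not code from any commenter and not the card networks' actual protocol: a Python sketch of the design bracher and Stonehand are arguing for, where the card signs each transaction and the processor only ever sees the signature. The card holds a secret shared only with the issuer; HMAC-SHA256 stands in for a smart card's cryptogram, and a per-card counter makes a retained copy of an old authorization worthless. The names `Issuer`, `sign_transaction` and `demo` are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed example: one issuer, cards personalised with a random key that the
# issuer also stores. The authorization message carries the transaction details and
# a MAC over them; the key itself is never transmitted, so a processor that keeps
# every message on file still holds nothing it can charge with.


def _payload(card_id: str, counter: int, amount_cents: int, merchant: str) -> bytes:
    """Canonical byte string that the MAC commits to (binds amount, merchant, counter)."""
    return f"{card_id}|{counter}|{amount_cents}|{merchant}".encode()


def sign_transaction(card_key: bytes, card_id: str, counter: int,
                     amount_cents: int, merchant: str) -> dict:
    """Card side: build the authorization message. The key never leaves the card."""
    tag = hmac.new(card_key, _payload(card_id, counter, amount_cents, merchant),
                   hashlib.sha256).hexdigest()
    return {"card_id": card_id, "counter": counter,
            "amount_cents": amount_cents, "merchant": merchant, "tag": tag}


class Issuer:
    """Issuer side: the only party besides the card that can check a tag."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._last_counter: dict[str, int] = {}

    def enroll(self, card_id: str) -> bytes:
        """Personalise a card with a fresh random key and hand the key to the 'card'."""
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        self._last_counter[card_id] = 0
        return key

    def authorize(self, msg: dict) -> bool:
        key = self._keys.get(msg["card_id"])
        if key is None:
            return False  # unknown card
        expected = hmac.new(key, _payload(msg["card_id"], msg["counter"],
                                          msg["amount_cents"], msg["merchant"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # amount, merchant or counter altered, or tag not made by the card
        if msg["counter"] <= self._last_counter[msg["card_id"]]:
            return False  # replay of a message somebody kept on file
        self._last_counter[msg["card_id"]] = msg["counter"]
        return True


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, stored copy replayed, stored copy re-used with a new
    amount). Only the first should be True."""
    issuer = Issuer()
    key = issuer.enroll("card-0001")
    msg = sign_transaction(key, "card-0001", counter=1, amount_cents=1999, merchant="shop-42")
    genuine = issuer.authorize(msg)
    replay = issuer.authorize(dict(msg))                      # same message again
    altered = issuer.authorize(dict(msg, counter=2, amount_cents=99999))  # no key to re-sign
    return genuine, replay, altered


if __name__ == "__main__":
    print(demo())
```

The point Stonehand makes is visible in `demo()`: the processor's retained record (everything in `msg`) is useless without the card key, because the counter rejects a replay and any change to the amount invalidates the tag. What the record still reveals is the card identifier and spending pattern, so this design limits fraud from a leak, not the privacy exposure.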
  9. NYT ?? What gives by Rac3r5 · · Score: 5, Informative

    I don't wanna be a troll here, but please, there are a dozen other sites that have the same article. Do we have to rely on a site that requires you to log in?
    http://www.internetnews.com/security/article.php/3513866/

  10. It's like the commercials by jim_v2000 · · Score: 5, Funny

    Internet connection - $30
    Homemade Computer - $700
    2 Liters of Mountain Dew - $2

    Stealing 40 Million people's credit card information with your 1337 h@x0r s|i77z - Priceless.

    There are some things that money can't buy, but for everything else, there's MasterCard.

    --
    Don't take life so seriously. No one makes it out alive.
  11. Not Surprising by ravenspear · · Score: 4, Interesting

    It makes sense that the companies that are retaining CC data improperly would be the ones most likely to allow it to be compromised.

    The security of the data is nothing more than a second thought to many of these companies. If they feel they can keep around a huge data mine of everyone's data they can get their hands on, in violation of the proper procedures, it should come as no surprise that they wouldn't be that vigilant in securing it properly.

  12. Support legislation making this a crime. by Bamfarooni · · Score: 4, Interesting

    Once again, evidence that there should be criminal penalties for improper handling of personal information. If you collect it, you better make sure it's safe. Otherwise, stop collecting it.

  13. Not just one by Roadkills-R-Us · · Score: 4, Interesting

    According to the article, the company in question has *never* been in compliance with MC's security rules. Since MC is supposedly doing audits and all, why have they not terminated the account and awarded it to someone else? They're leaving themselves wide open, and they're a much bigger target than the company that got caught.

  14. Why are they still in business? by stinerman · · Score: 5, Insightful

    From TFA:

    Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

    Asked about compliance with Visa's standards, a Visa spokeswoman, Rosetta Jones, said, "This particular processor was not following Visa's security requirements when we found out there was a potential data compromise."

    Question:

    Why is CardSystems Solutions still a processor for Visa and MasterCard?

    1. Re:Why are they still in business? by jimicus · · Score: 4, Funny

      Why is CardSystems Solutions still a processor for Visa and MasterCard?

      Because the CEO's PA gives good head to visitors.

  15. An interesting data analysis problem by G4from128k · · Score: 4, Interesting

    The article alludes to fraudulent activity starting back in mid-April leading to an investigation of this particular card processor in mid-May. That suggests that the card companies do some rather interesting statistical analyses on fraud patterns to find commonalities. In this case, they were able to detect that an unusual number of cards with fraudulent transactions had, at some point, a transaction that shared a common card processor sometime in the past.

    Obviously, someone (I assume it's Mastercard, Visa, etc.) is storing sufficient volume of historical transactions (including metadata such as the 3rd-party transaction processor) to analyze patterns such as this. With some 60 billion card transactions per year worldwide, this would make for a very large dataset and a very interesting analysis problem.

    --
    Two wrongs don't make a right, but three lefts do.
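Added example, not the card networks' own method and not from the commenter: the analysis G4from128k describes is usually called common point of compromise detection. The Python below runs it over a small constructed transaction history: for each processor, it counts the cards that transacted there before their first fraud report and compares that rate with the population-wide fraud rate (the lift). The processor names, card ids and dates are all made up for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed history: (card, processor, transaction date). ProcA is the one that
# "leaked" in this toy dataset; ProcB and ProcC are innocent but share some cards.
TRANSACTIONS = [
    ("c01", "ProcA", date(2005, 4, 1)),
    ("c02", "ProcA", date(2005, 4, 1)),
    ("c03", "ProcA", date(2005, 4, 2)),
    ("c04", "ProcA", date(2005, 4, 2)),
    ("c05", "ProcA", date(2005, 4, 3)),
    ("c01", "ProcB", date(2005, 4, 5)),
    ("c06", "ProcB", date(2005, 4, 5)),
    ("c07", "ProcB", date(2005, 4, 6)),
    ("c08", "ProcB", date(2005, 4, 6)),
    ("c03", "ProcC", date(2005, 4, 7)),
    ("c09", "ProcC", date(2005, 4, 7)),
    ("c10", "ProcC", date(2005, 4, 8)),
    ("c02", "ProcC", date(2005, 4, 20)),  # after c02's fraud: cannot be the source
]

# Constructed: date of the first fraudulent charge reported on each card.
FIRST_FRAUD = {
    "c01": date(2005, 4, 15),
    "c02": date(2005, 4, 16),
    "c03": date(2005, 4, 18),
    "c04": date(2005, 4, 18),
    "c07": date(2005, 4, 19),
}


def rank_common_points(transactions, first_fraud, min_cards=3):
    """Rank processors by how over-represented they are among later-defrauded cards.

    A card counts as 'exposed' at a processor only if it transacted there *before*
    its first fraud report; transactions after the fraud cannot have caused it.
    Processors seen by fewer than min_cards cards are skipped (too few to judge).
    """
    cards_by_proc = defaultdict(set)
    exposed = defaultdict(set)
    all_cards = set()
    for card, proc, when in transactions:
        all_cards.add(card)
        cards_by_proc[proc].add(card)
        fraud_day = first_fraud.get(card)
        if fraud_day is not None and when < fraud_day:
            exposed[proc].add(card)

    fraud_cards = sum(1 for c in all_cards if c in first_fraud)
    baseline = fraud_cards / len(all_cards) if all_cards else 0.0

    rows = []
    for proc, cards in cards_by_proc.items():
        if len(cards) < min_cards:
            continue
        rate = len(exposed[proc]) / len(cards)
        rows.append({
            "processor": proc,
            "cards": len(cards),
            "later_fraud": len(exposed[proc]),
            "rate": rate,
            "lift": rate / baseline if baseline else 0.0,
        })
    rows.sort(key=lambda r: (-r["lift"], r["processor"]))
    return rows


if __name__ == "__main__":
    for row in rank_common_points(TRANSACTIONS, FIRST_FRAUD):
        print(f"{row['processor']}: {row['later_fraud']}/{row['cards']} cards later "
              f"showed fraud (lift {row['lift']:.2f})")
```

With this data ProcA comes out on top with a lift of 1.6 (four of its five cards were later defrauded) while ProcB sits at the population baseline and ProcC below it. On real volumes the same idea needs a bounded look-back window, a significance test on the counts, and a way to discount processors that simply see most cards (a very large processor will appear in nearly every fraud victim's history without being the source).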
  16. Moral Hazard? by DaveInAustin · · Score: 5, Interesting

    This story on NPR says that the credit card companies can actually wind up making money when a fraudulent charge is made. Does this create an incentive for them to keep things safe?

    --
    --- http://davidnehme.blogspot.com
  17. When will these companies be held responsible? by Todd+Knarr · · Score: 5, Interesting

    That's what I want to know: when will companies that mishandle data like this be held 100% responsible to the people whose data they mishandled for the losses, fraud, etc.? I'm of the opinion that only when mishandling data results in actual financial consequences to the mishandler will things change.